July 7, 2022
By Mac Lillard, CPA, CFE, CISA, CRISC, CITP, Risk & Advisory Services Manager
If your organization follows Uniform Guidance requirements for procurement under 2 CFR 200.320, you might be able to increase the threshold for making micro-purchases, or purchases that are subject to less strict compliance requirements. Does your nonprofit qualify as a low-risk auditee? Do you perform an annual risk assessment? If so, you might be eligible.
Increasing your micro-purchase threshold can drastically reduce the activities associated with processing smaller dollar value transactions, freeing up your staff time to focus on higher value tasks, like identifying and implementing process enhancements.
What is 2 CFR 200.320?
2 CFR 200.320 outlines the procurement methods to be followed for non-federal entities under Uniform Guidance. Within these methods are strict thresholds for certain levels of procurement. For example, procurements over $250,000 are subject to the Simplified Acquisition Threshold and must undergo a formal RFP/RFQ process. Organizations are free to reduce these thresholds to align with their size and context but cannot exceed the threshold for a given level of procurement.
Smaller purchases, called micro-purchases, are transactions that fall under informal procurement methods since they are less material and are performed regularly. Accordingly, the procurement requirements for these transactions are less rigorous and require less labor associated with processing because the perceived level of risk is lower. Since these transactions occur more frequently, organizations typically opt to set this threshold at the maximum to reduce the administrative burden under stringent compliance requirements. However, many organizations are missing out on the opportunity to increase this threshold by $40,000!
How can my organization increase its micro-purchase threshold?
2 CFR 200.320(a)(1)(iv) contains a clause that permits qualifying organizations to increase the micro-purchase threshold from $10,000 to $50,000. The qualifications are as follows:
a) Qualification as a low-risk auditee, in accordance with the criteria in §200.520 for the most recent audit
b) An annual internal institutional risk assessment to identify, mitigate, and manage financial risks
c) For public institutions, a higher threshold consistent with State law (not relevant for nonprofits and INGOs)
Organizations are required to complete an annual self-certification attesting to meeting the above requirements and must maintain this documentation for a minimum of 3 years to be made available to Federal agencies, funders, and/or auditors upon request.
Item a) is straightforward, as support for low-risk auditee status will come directly from the Single Audit report issued by an independent accounting firm.
Item b) is slightly more complicated, as the regulation does not define what qualifies as an “internal institutional risk assessment.” Based on our analysis, we believe the following items together would qualify as the minimum to support an adequate internal institutional risk assessment under the guidance:
- Formally developed policies and procedures that govern the purpose, objective(s), and process for performing an annual risk assessment. Elements of a comprehensive risk management policy include, but are not limited to:
  - Risk Identification – process for aggregating risk data across the organization’s critical functions/departments
  - Risk Analysis – process for analyzing, quantifying, and prioritizing identified risks
  - Risk Response – process for determining the appropriate response (i.e., mitigate, transfer, avoid, accept)
  - Risk Mitigation – process for implementing corrective action and mitigation plans
  - Risk Monitoring – process for monitoring the risk register and risk mitigation activities
- Formal Risk Management Charter and/or Board Charter that outlines the responsibilities of management and the Board of Directors as they relate to risk management activities:
  - Management – implements risk management activities and holds staff accountable
  - Board of Directors – provides oversight of the risk management process and holds management accountable
- Discussions of risk management activities should be captured in Board minutes
- Proof of Annual Risk Assessment through supporting documentation (e.g., detailed risk assessment report, risk register, handling plans, minutes from meetings).
How GRF Can Help
GRF specializes in providing high-quality consultancy services to our 750+ nonprofit and international non-governmental organization (INGO) clients. We assist our clients with the following:
- Facilitating the implementation of enterprise risk management practices including, but not limited to:
  - Policy and procedure development
  - Establishment of a risk council
  - Identification of top risks
- Facilitating the ERM maturity assessment to evaluate risk management program/activities and identify enhancements to the process. Activities include, but are not limited to:
  - Benchmarking using the Capability Maturity Model or other framework (e.g., ISO 31000, COSO)
  - Developing a path forward with a detailed roadmap to achieve ERM objectives
- Strengthening existing ERM activities through trainings, presentations, workshops, coaching, ongoing support and advanced ERM implementation
For more information on how GRF can assist your organization in implementing adequate risk management activities to qualify for the increased micro-purchase threshold, contact our Risk and Advisory Services Manager, Mac Lillard, or visit our Enterprise Risk Management Resources Page.
Mac Lillard, CPA, CFE, CISA, CRISC, CITP
Manager, Audit and Risk Advisory Services